Hi Frank,
I was just made aware of your post..
Afraid it's a bit of a known issue..
NOI inserts the namespace into the FQDN/hostnames as a subdomain..
However, standard ingress certificates don't support this :-(, as you noticed.
For normal browser activity, that is not an issue.
But it is an issue if you need to interface (SSL) with the solution, e.g. API/REST calls.
There are 2 solutions to this.
1) If it is just API usage that you need, I suggest you copy the "route" that you need and remove the namespace/subdomain from the new route (a bit cumbersome if you need multiple routes...).
2) If you need a more permanent option, I suggest you create a new ingress certificate that supports BOTH SANs:
*.apps.ovv.mynet.foo
*.example-noi.apps.ovv.mynet.foo
https://docs.openshift.com/container-platform/4.1/authentication/certificates/replacing-default-ingress-certificate.html
But this doesn't say how to create the certificate..
But a hint could be here:
https://www.richardwalker.dev/openshift-certificates.html
Hope it helps..
Mario
------------------------------
mario schuerewegen
IBM
Brussels
(3249) 528-1079
------------------------------
Original Message:
Sent: Wed March 31, 2021 09:34 AM
From: Frank Tate
Subject: Certificate problem with certificates in Watson AIOps 2.0 Event Manager on OpenShift 4.7
Hi all,
I just installed Watson AIOps 2.0 Event Manager (NOI) on an OpenShift 4.7 cluster. Everything installed really nicely (great job, IBM), but my browsers and curl tell me that the server certificates are invalid. I can get around this using the MS Edge browser, but Firefox won't let me just add an exception for the site because HSTS is being enforced.
I have installed the ingress CA certificate, and that is seen as valid. What's not valid is the server certificate presented by the applications. Specifically, the certificate has a Subject Alternative Name (SAN) value of
DNS_NAME=*.apps.ovv.mynet.foo
(and I have that wildcard record correctly defined in DNS - I'm using dnsmasq on a Linux machine for my DNS and dhcp).
However, the URL I need to access is:
https://netcool.example-noi.apps.ovv.mynet.foo
In researching a little, I found that a certificate with this SAN is only good for hostnames like "myhost.apps.ovv.mynet.foo", but NOT for hosts in a subdomain like "myotherhost.example-noi.apps.ovv.mynet.foo".
Are others encountering this problem? Is this an issue with OpenShift 4.7? Is there an easy fix?
Thanks,
Frank
------------------------------
Frank Tate
Gulfsoft Consulting
------------------------------
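Added example, not part of either message: a simplified model of the leftmost-label wildcard rule (RFC 6125) that TLS clients apply to dNSName SAN entries, run against the hostnames from this thread. It shows why the default ingress SAN fails for the NOI hostname and why a certificate carrying both SANs passes. The function names and the `netcool.apps.ovv.mynet.foo` route hostname are assumptions made for illustration.

```python
# Added example: SAN lists and hostnames are taken from the thread, except
# ROUTE_COPY, which is a hypothetical hostname for a copied route with the
# namespace label removed (option 1 in the reply).

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label and never spans a dot,
    # so both names must have the same number of labels.
    if len(p) != len(h):
        return False
    # Everything to the right of the leftmost label must match literally.
    if p[1:] != h[1:]:
        return False
    # Only a whole-label "*" in the leftmost position acts as a wildcard.
    if p[0] == "*":
        return h[0] != ""
    return p[0] == h[0]

def covering_san(sans, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    return next((s for s in sans if san_matches(s, hostname)), None)

def uncovered(sans, hostnames):
    """Return the hostnames that no SAN entry in the certificate covers."""
    return [name for name in hostnames if covering_san(sans, name) is None]

DEFAULT_INGRESS_SANS = ["*.apps.ovv.mynet.foo"]
BOTH_SANS = ["*.apps.ovv.mynet.foo", "*.example-noi.apps.ovv.mynet.foo"]
NOI_HOST = "netcool.example-noi.apps.ovv.mynet.foo"
ROUTE_COPY = "netcool.apps.ovv.mynet.foo"  # hypothetical copied route
HOSTS = ["myhost.apps.ovv.mynet.foo", NOI_HOST, ROUTE_COPY]

if __name__ == "__main__":
    for label, sans in (("default ingress certificate", DEFAULT_INGRESS_SANS),
                        ("certificate with both SANs", BOTH_SANS)):
        print(label)
        for host in HOSTS:
            match = covering_san(sans, host)
            print(f"  {host}: {match or 'NOT COVERED'}")
```

Before replacing the ingress certificate, feed the hostnames of every route in the namespace to `uncovered` to confirm the planned SAN list leaves nothing out.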